#ITSecurity: An In-depth Analysis of Linux/Ebury

ESET has been analyzing and tracking an OpenSSH backdoor and credential stealer named Linux/Ebury. The result of this work on the Linux/Ebury malware family is part of a joint research effort with CERT‑Bund, the Swedish National Infrastructure for Computing, the European Organization for Nuclear Research (CERN) and other organizations forming an international Working Group.

In this blog post, we provide an in-depth analysis of Linux/Ebury, a sophisticated backdoor used to steal OpenSSH credentials and maintain access to a compromised server. According to previous reports, this backdoor has been in the wild for at least two years. Linux/Ebury comes in two forms: a malicious shared library and a patch to the main OpenSSH binaries. The malicious library is a modified version of libkeyutils.so, a shared library that is loaded by all of the OpenSSH executables, such as ssh, sshd and ssh-agent. We will describe how the backdoor works and how the OpenSSH functionalities are hooked. We will also show how passwords are captured and exfiltrated. Finally, we will provide detailed information on how system administrators can identify infected systems.
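Because the library variant works by replacing the libkeyutils.so that every OpenSSH binary resolves at load time, a first triage step is to find out which libkeyutils file ssh, sshd and ssh-agent actually load and whether that file is still the one the distribution package shipped. The script below is an added example written for this page; it is not ESET's tooling and does not use the indicators ESET describes later. The function names are ours, the binary paths under /usr/bin and /usr/sbin are assumptions, and the sample ldd output used in the parsing helper is constructed.

```sh
#!/bin/sh
# Added example, not part of the ESET report: locate the libkeyutils.so that the
# OpenSSH binaries resolve at load time and check whether that file is still the
# one shipped by the distribution package. Function names are ours.

# Parse `ldd` output on stdin and print the resolved path of libkeyutils.so
# (prints nothing if the binary does not link against it).
libkeyutils_path_from_ldd() {
    awk '$1 ~ /^libkeyutils\.so/ && $3 ~ /^\// { print $3; exit }'
}

# Print the libkeyutils.so path that a given binary loads (empty if none).
loaded_libkeyutils() {
    ldd "$1" 2>/dev/null | libkeyutils_path_from_ldd
}

# Classify a library file against the local package database:
#   owned    - belongs to a package and matches the package's recorded checksum
#   modified - belongs to a package but differs from what the package shipped
#   unowned  - no package claims the file (a dropped-in replacement)
#   unknown  - neither dpkg nor rpm is available to ask
classify_library() {
    real=$(readlink -f "$1" 2>/dev/null) || real=$1
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$real" 2>/dev/null | head -n1 | cut -d: -f1)
        [ -n "$pkg" ] || { echo unowned; return; }
        # debsums -c lists the files whose md5sum no longer matches the package.
        if command -v debsums >/dev/null 2>&1 &&
           debsums -c "$pkg" 2>/dev/null | grep -qxF "$real"; then
            echo modified
        else
            echo owned
        fi
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$real" 2>/dev/null) || { echo unowned; return; }
        # rpm -V prints one line per file that differs from the package metadata.
        if rpm -V "$pkg" 2>/dev/null | grep -qF "$real"; then
            echo modified
        else
            echo owned
        fi
    else
        echo unknown
    fi
}

# Report, for each OpenSSH binary present, which libkeyutils it loads and how
# that file classifies. Paths are assumed; adjust for your distribution.
scan_openssh() {
    for bin in /usr/bin/ssh /usr/sbin/sshd /usr/bin/ssh-agent; do
        [ -x "$bin" ] || continue
        lib=$(loaded_libkeyutils "$bin")
        if [ -z "$lib" ]; then
            printf '%s: does not load libkeyutils\n' "$bin"
        else
            printf '%s: %s (%s)\n' "$bin" "$lib" "$(classify_library "$lib")"
        fi
    done
}

# Run the scan only when asked, so the functions can also be sourced for reuse.
case "${1:-}" in --scan) scan_openssh ;; esac
```

Run it as `sh check-libkeyutils.sh --scan`. Two caveats apply on a host you already suspect: `ldd` runs the system's dynamic loader against the binary, and the package database, dpkg, rpm and debsums all live on the same possibly compromised system, so treat "owned" as a negative result only when the checksum comparison is repeated offline against a known-good copy of the package.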